Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-5888:CyberArk fails to issue the ‘su’ command correctly to change the root password on the machine

Authentication Service ,  

31 May,16 at 05:03 PM

Applies to: All Centrify Direct Control versions.

Problem:
When  an AIX or Linux server with Cyberark is joined to the AD domain, CyberArk fails to issue the ‘su’ command correctly to change the root password on the machine. 
It gets mangled to ’s?u’. This only happens after the machine is joined to AD via adclient. 

Background:

CPM ( Central Password Manager )  is required to mimic what Cyber Ark does. Without using a CPM, it will be almost impossible to imitate CPM functionality.
CyberArk uses "expect" to interact with the servers, and the expect script gets confused when presented with numerous "#" characters, and seems to think it's seeing a root prompt when it's not.
The CyberArk Group Policy is used to force a "banner", telling people to remember to use their AD passwords, This banner included a border of octothorpes.
This confuses Cyberark's expect script, but because this is setup only on the Centrify connected servers, the issue is only seen on Centrified systems.

Resolution:
The root cause of the issue was the unique login banner text on Centrify-enabled systems.

Change the Group Policy to not use the "###" border in the banner.

This will allow Cyberark's expect script for Central Password Manager to function correctly.


 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6041: How to show current license type in use by adclient articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6882: User Fails su to an Active Directory Account on AIX. Error Appears: "There have been too many unsuccessful login attempts" articleKB-1689: Cannot 'su -' when using DirectAuthorize articleHow to Use DirectControl to Facilitate Kerberos-based Oracle SSO on Unix and Linux